From: Timo Sirainen
Date: Fri, 22 Dec 2017 16:36:55 +0000 (+0200)
Subject: lib-mail: Fix out-of-bounds read when parsing an invalid email address
X-Git-Tag: 2.3.9~2173
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d949689911a2321cd711c70665f3f11dcafbbbd3;p=thirdparty%2Fdovecot%2Fcore.git
lib-mail: Fix out-of-bounds read when parsing an invalid email address
The included unit test doesn't fail, but running it with valgrind shows "Invalid read of size 1" error.
Broken in d6737a17a27402e7a262f7ba8a2ed588d576f23c
Discovered by Aleksandar Nikolic of Cisco Talos
---
diff --git a/src/lib-mail/message-address.c b/src/lib-mail/message-address.c
index c1ffe72f56..bee91427a1 100644
--- a/src/lib-mail/message-address.c
+++ b/src/lib-mail/message-address.c
@@ -222,7 +222,8 @@ static int parse_addr_spec(struct message_address_parser_context *ctx)
 /* end of input or parsing local-part failed */
 ctx->addr.invalid_syntax = TRUE;
 }
- if (ret != 0 && *ctx->parser.data == '@') {
+ if (ret != 0 && ctx->parser.data != ctx->parser.end &&
+ *ctx->parser.data == '@') {
 ret2 = parse_domain(ctx);
 if (ret2 <= 0)
 ret = ret2;
diff --git a/src/lib-mail/test-message-address.c b/src/lib-mail/test-message-address.c
index 7f5103c1f1..e0057fd9db 100644
--- a/src/lib-mail/test-message-address.c
+++ b/src/lib-mail/test-message-address.c
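Review bot: In parse_addr_spec() (src/lib-mail/message-address.c) the new guard is written as `ctx->parser.data != ctx->parser.end`, which protects the `*ctx->parser.data` peek only as long as data can never move past end; `ctx->parser.data < ctx->parser.end` would fail closed at no extra cost. The condition also deserves a short why-comment, for example `/* ret < 0 may leave the parser at end of input; don't peek past it */`, because the preceding comment shows the failure branch covers end of input and `ret != 0` lets that case through to the dereference. Other dereferences of `parser.data` after a failed sub-parse may need the same bounds check, though none are visible in this hunk. The function body starts and ends outside the hunk.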
@@ -198,6 +198,16 @@ static void test_message_address(void)
 { "<@>", "", "",
 { NULL, NULL, NULL, "", "", TRUE },
 { NULL, NULL, "INVALID_ROUTE", "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE }, 0 },
+
+ /* Test against a out-of-bounds read bug - keep these two tests
+ together in this same order: */
+ { "aaaa@", "", "",
+ { NULL, NULL, NULL, "aaaa", "", TRUE },
+ { NULL, NULL, NULL, "aaaa", "MISSING_DOMAIN", TRUE }, 0 },
+ { "a(aa", "", "",
+ { NULL, NULL, NULL, "", "", TRUE },
+ { NULL, NULL, NULL, "MISSING_MAILBOX", "MISSING_DOMAIN", TRUE },
+ TEST_MESSAGE_ADDRESS_FLAG_SKIP_LIST },
 };
 static struct message_address group_prefix = {
 NULL, NULL, NULL, "group", NULL, FALSE
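Review bot: The comment above the two new cases in test_message_address() says to keep them together and in order but not why, and it does not mention that the regression is invisible in a plain run. The commit message states that the test passes without valgrind, so the comment should say so, e.g. `/* Regression test for an out-of-bounds read; only detected under valgrind or a similar memory checker. */`. If the ordering matters because of how buffers are reused between cases, that reason should be written down too, so a later reshuffle of the table does not silently disable the check. The wording "a out-of-bounds" should read "an out-of-bounds". The table and the function continue outside the hunk.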